By: Hector Rodriguez user 08 Sep 2017 at 7:28 a.m. CDT

6 Responses
Hi everyone,

I've been testing UMA 2.0 for the last 2 days and I have one question and some additional info for other people who might be going through the same tests as me. I'm going to mainly describe the UMA flow and all typos, documentation errors and -possibly- unintended behaviours I've found:

- Resource registering: The parameters included in the UMA API section are not correct. The "scopes" parameter should be "resource_scopes".
- Ticket Request (Permission Registration): The UmaPermission data structure needs "resourceId" replaced by "resource_id" and "scopes" replaced by "resource_scopes".
- Token Endpoint (RPT request): The information about this request is missing the "client_id" and "client_secret" parameters.

Once I've reached this point of the UMA flow, I receive a JSON response like this:

```
{
  "pct": "ef64ab3c-c370-401c-bb0d-b2912fea5952_BACB.A00A.FDF6.BBAF.B764.56F0.1908.9863",
  "upgraded": false,
  "access_token": "af5a2839-c36a-42ad-9c34-57d1e92388d2_637D.B902.8304.C183.FDEC.D63F.7018.8588",
  "token_type": "Bearer"
}
```

**First of all, my first question**: Are the access_token and pct supposed to have that structure? (It looks like a code concatenated to an ID.)

There's something that I should clarify. If I activate the sample rpt_claims by client ID script, I get the expected behaviour (access denied by policy), and if I add my client ID to the list I get the previously mentioned response. Even though the AM platform responds with this JSON, I get the following LDAP persistence error:

```
2017-09-08 13:46:17,724 ERROR [qtp1020391880-15] [org.xdi.oxauth.uma.service.UmaPctService] (UmaPctService.java:137) - Failed to persist PCT, code: ef64ab3c-c370-401c-bb0d-b2912fea5952_BACB.A00A.FDF6.BBAF.B764.56F0.1908.9863.
Failed to persist entry: oxAuthTokenCode=ef64ab3c-c370-401c-bb0d-b2912fea5952_BACB.A00A.FDF6.BBAF.B764.56F0.1908.9863,ou=pct,ou=uma,o=@!BE05.3C1E.6575.A7AC!0001!57A7.6968,o=gluu
org.gluu.site.ldap.persistence.exception.EntryPersistenceException: Failed to persist entry: oxAuthTokenCode=ef64ab3c-c370-401c-bb0d-b2912fea5952_BACB.A00A.FDF6.BBAF.B764.56F0.1908.9863,ou=pct,ou=uma,o=@!BE05.3C1E.6575.A7AC!0001!57A7.6968,o=gluu
	at org.gluu.site.ldap.persistence.LdapEntryManager.persist(LdapEntryManager.java:99) ~[oxcore-ldap-3.1.0.Final.jar:?]
	at org.gluu.site.ldap.persistence.AbstractEntryManager.persist(AbstractEntryManager.java:90) ~[oxcore-ldap-3.1.0.Final.jar:?]
	at org.gluu.site.ldap.persistence.LdapEntryManager$Proxy$_$$_WeldClientProxy.persist(Unknown Source) ~[oxcore-ldap-3.1.0.Final.jar:?]
	at org.xdi.oxauth.uma.service.UmaPctService.persist(UmaPctService.java:135) [classes/:?]
	at org.xdi.oxauth.uma.service.UmaPctService.createPctAndPersist(UmaPctService.java:118) [classes/:?]
	at org.xdi.oxauth.uma.service.UmaPctService.updateClaims(UmaPctService.java:60) [classes/:?]
	at org.xdi.oxauth.uma.service.UmaTokenService.requestRpt(UmaTokenService.java:89) [classes/:?]
	at org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl.requestAccessToken(TokenRestWebServiceImpl.java:106) [classes/:?]
	at org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl$Proxy$_$$_WeldClientProxy.requestAccessToken(Unknown Source) [classes/:?]
	at sun.reflect.GeneratedMethodAccessor349.invoke(Unknown Source) ~[?:?]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_112]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_112]
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final]
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final]
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final]
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final]
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final]
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final]
	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final]
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final]
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [servlet-api-3.1.jar:3.1.0]
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:845) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1772) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:193) [websocket-server-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.ocpsoft.rewrite.servlet.RewriteFilter.doFilter(RewriteFilter.java:226) [rewrite-servlet-3.4.1.Final.jar:3.4.1.Final]
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.xdi.oxauth.auth.AuthenticationFilter.processPostAuth(AuthenticationFilter.java:316) [classes/:?]
	at org.xdi.oxauth.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:105) [classes/:?]
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.gluu.oxserver.filters.AbstractCorsFilter.handleSimpleCORS(AbstractCorsFilter.java:212) [oxcore-server-3.1.0.Final.jar:?]
	at org.gluu.oxserver.filters.AbstractCorsFilter.doFilter(AbstractCorsFilter.java:108) [oxcore-server-3.1.0.Final.jar:?]
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.xdi.oxauth.audit.debug.ServletLoggingFilter.doFilter(ServletLoggingFilter.java:55) [classes/:?]
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1751) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) [jetty-security-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:213) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:119) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.server.Server.handle(Server.java:534) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283) [jetty-io-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110) [jetty-io-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93) [jetty-io-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220]
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220]
	at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112]
Caused by: com.unboundid.ldap.sdk.LDAPException: objectClass: value #1 invalid per syntax
	at com.unboundid.ldap.sdk.LDAPConnection.add(LDAPConnection.java:1959) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
	at com.unboundid.ldap.sdk.AbstractConnectionPool.add(AbstractConnectionPool.java:752) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
	at com.unboundid.ldap.sdk.AbstractConnectionPool.add(AbstractConnectionPool.java:683) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
	at org.gluu.site.ldap.OperationsFacade.addEntry(OperationsFacade.java:494) ~[oxcore-ldap-3.1.0.Final.jar:?]
	at org.gluu.site.ldap.persistence.LdapEntryManager.persist(LdapEntryManager.java:94) ~[oxcore-ldap-3.1.0.Final.jar:?]
	... 59 more
2017-09-08 13:46:17,726 ERROR [qtp1020391880-15] [org.xdi.oxauth.uma.service.UmaPctService] (UmaPctService.java:85) - Failed to update PCT claims. Failed to find entry: oxAuthTokenCode=ef64ab3c-c370-401c-bb0d-b2912fea5952_BACB.A00A.FDF6.BBAF.B764.56F0.1908.9863,ou=pct,ou=uma,o=@!BE05.3C1E.6575.A7AC!0001!57A7.6968,o=gluu
```

After this, when I try to introspect the RPT token obtained, I always obtain "false" as the active parameter. Checking LDAP, the entries under uma_rpt for my client have been created with an attribute named "oxAuthTokenCode", which I guess is what the server will try to check (at least that's what the source code suggests). But when I make the request with the "token" parameter, I receive the following JSON response:

```
{
  "active": false
}
```

With the following error message in the logs:

```
2017-09-08 14:25:17,570 ERROR [qtp1020391880-20] [org.xdi.oxauth.uma.service.UmaRptService] (UmaRptService.java:104) - Failed to find RPT by code: null
```

Which suggests that maybe this parameter might also be a typo in the docs. So my second question is: **Is this working as intended and I'm missing something? If so, where did I mess things up?**

Thanks for your time and patience in advance,
Héctor

By Yuriy Zabrovarnyy staff 08 Sep 2017 at 12:09 p.m. CDT

Hi Hector,

Thanks a lot for this ticket.

1. Reference documentation is updated, all above typos/issues are fixed.
2. Yes, the structure of the PCT and access token is as expected.
3. About RPT introspection. Please make sure you are using the RPT introspection endpoint from `/uma2-configuration`. If yes, would you please provide the curl request. Sample status request:

```
POST /rpt/status HTTP/1.1
Host: as.example.com
Authorization: Bearer 204c69636b6c69
...

token=sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv
```

4. Regarding PCT persistence, unfortunately there is an issue in the schema. It is already fixed and will be available in the 3.1.1 version. For now please replace the schema on your machine to make PCT work:

- `service solserver stop`
- replace the file /opt/gluu/schema/openldap/gluu.schema with the one from https://raw.githubusercontent.com/GluuFederation/community-edition-setup/version_3.1.1/static/openldap/gluu.schema
- `service solserver start`

Let us know how it goes on your side.

Thanks,
Yuriy Z

By Yuriy Zabrovarnyy staff 08 Sep 2017 at 12:21 p.m. CDT

Regarding RPT introspection, it would be helpful to get:

1. the curl request
2. the LDIF of your token (to check the data)
3. the `oxauth.log` file

Thanks,
Yuriy Z

By Hector Rodriguez user 11 Sep 2017 at 1:57 a.m. CDT

Hi Yuriy,

First of all, thank you for your answer. I've been able to fix the PCT errors by updating the LDAP gluu schema. I've also performed all the steps you suggested regarding RPT introspection. My uma2-configuration JSON indicates that the URL is https://<hostname>/oxauth/restv1/rpt/status. Using the one shown in the example throws an error.

- cURL request:

```
curl -X POST \
  https://<hostname>/oxauth/restv1/rpt/status \
  -H 'authorization: Bearer 77809a40-2def-475a-9791-5ad5c5421a35' \
  -H 'cache-control: no-cache' \
  -d '{ "token":"51731e9e-cac6-4952-99df-a309a53a699a_6687.EE1F.A803.F4FA.E6D4.0005.DD2B.B8AB" }'

> POST /oxauth/restv1/rpt/status HTTP/1.1
> User-Agent: curl/7.29.0
> Host: ------
> Accept: */*
> authorization: Bearer 3f8857df-5c40-4577-ac69-025df8eb88bb
> cache-control: no-cache
> content-type: application/json
> Content-Length: 90
>
* upload completely sent off: 90 out of 90 bytes
< HTTP/1.1 200 OK
< Date: Mon, 11 Sep 2017 06:23:43 GMT
< Server: Jetty(9.3.15.v20161220)
< X-Xss-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Cache-Control: no-transform, no-store
< Content-Type: application/json
< Connection: close
< Transfer-Encoding: chunked
<
* Closing connection 0
{"active":false}
```

- LDIF:

```
2d6d03cd-b345-4ea6-93a3-7b5b8014e5cd, uma_rpt, @!BE05.3C1E.6575.A7AC!0001!57A7.6968!0008!B5A4.F074.C2A2.99E0, clients, @!BE05.3C1E.6575.A7AC!0001!57A7.6968, gluu
dn: uniqueIdentifier=2d6d03cd-b345-4ea6-93a3-7b5b8014e5cd,ou=uma_rpt,inum=@!BE05.3C1E.6575.A7AC!0001!57A7.6968!0008!B5A4.F074.C2A2.99E0,ou=clients,o=@!BE05.3C1E.6575.A7AC!0001!57A7.6968,o=gluu
oxAuthClientId: @!BE05.3C1E.6575.A7AC!0001!57A7.6968!0008!B5A4.F074.C2A2.99E0
oxAuthTokenCode: 51731e9e-cac6-4952-99df-a309a53a699a_6687.EE1F.A803.F4FA.E6D4.0005.DD2B.B8AB
oxAuthCreation: 20170911064614.407Z
oxAuthExpiration: 20170911065114.407Z
uniqueIdentifier: 2d6d03cd-b345-4ea6-93a3-7b5b8014e5cd
objectClass: top
objectClass: oxAuthUmaRPT
oxUmaPermission: oxTicket=0869b790-a3e5-48fb-946e-6ed66e67bb87,ou=uma_permission,inum=@!BE05.3C1E.6575.A7AC!0001!57A7.6968!0008!B5A4.F074.C2A2.99E0,ou=clients,o=@!BE05.3C1E.6575.A7AC!0001!57A7.6968,o=gluu
```

And finally, oxauth.log only shows:

```
2017-09-11 08:46:31,685 ERROR [qtp1020391880-16] [org.xdi.oxauth.uma.service.UmaRptService] (UmaRptService.java:104) - Failed to find RPT by code: null
```

Thanks,
Hector

By Yuriy Zabrovarnyy staff 11 Sep 2017 at 7:31 a.m. CDT

Hector,

It seems the web service did not find the token code. The web service expects the token code passed as the form `token` parameter (not as JSON data in the request payload). The reason for changing the format is that UMA 2 tries to stick as close to OAuth as possible, so the token request and introspection use the OAuth way of passing data.

A curl like this should work:

```
curl -X POST \
  https://<hostname>/oxauth/restv1/rpt/status \
  -H 'authorization: Bearer 77809a40-2def-475a-9791-5ad5c5421a35' \
  -H 'cache-control: no-cache' \
  -d 'token=51731e9e-cac6-4952-99df-a309a53a699a_6687.EE1F.A803.F4FA.E6D4.0005.DD2B.B8AB'
```

Thanks,
Yuriy Z
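The thread corrects two things about the UMA 2.0 requests: the parameter names in Hector's first post (`resource_scopes`, `resource_id`, and `client_id`/`client_secret` at the token endpoint) and, in Yuriy's reply above, the fact that the introspection endpoint reads `token` as a form parameter rather than from a JSON body. The following Python script is an added example written for this page; it is not Gluu or oxAuth code. It builds each request with the corrected shape and mimics a server that only reads `token` from a form-encoded body, so the JSON request from the thread comes back with no token, matching the "Failed to find RPT by code: null" log line. The hostname, ticket and client credentials are constructed placeholders; the PAT and RPT strings are the values that appear in Hector's curl command; the `grant_type` URN is the one defined by the UMA 2.0 Grant specification and is not quoted anywhere in the thread.

```python
"""UMA 2.0 request shapes from the thread (added example, not Gluu code).

Builds the four requests with the parameter names the thread settled on and
mimics a server that reads the introspection `token` only as a form field,
which is why a JSON body produces {"active": false} and
"Failed to find RPT by code: null" in oxauth.log.
"""
import json
from urllib.parse import parse_qs, urlencode

AS_HOST = "https://as.example.com"            # constructed placeholder
PAT = "77809a40-2def-475a-9791-5ad5c5421a35"  # bearer value from the thread's curl
RPT = ("51731e9e-cac6-4952-99df-a309a53a699a_"
       "6687.EE1F.A803.F4FA.E6D4.0005.DD2B.B8AB")  # RPT from the thread

FORM = "application/x-www-form-urlencoded"
JSON = "application/json"


def resource_registration_body(name, scopes):
    """Resource registration: the key is 'resource_scopes', not 'scopes'."""
    return json.dumps({"name": name, "resource_scopes": list(scopes)})


def permission_request_body(resource_id, scopes):
    """Permission (ticket) request: 'resource_id' and 'resource_scopes',
    not 'resourceId' and 'scopes'."""
    return json.dumps([{"resource_id": resource_id, "resource_scopes": list(scopes)}])


def rpt_token_request_body(ticket, client_id, client_secret):
    """Token endpoint request for an RPT, form-encoded like any OAuth token
    request. client_id/client_secret were missing from the docs. The grant_type
    URN comes from the UMA 2.0 Grant spec, not from the thread."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "ticket": ticket,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def introspection_request(rpt, pat, content_type=FORM):
    """Return (headers, body) for POST {AS_HOST}/oxauth/restv1/rpt/status.

    The correct shape is a form body. Passing content_type=JSON reproduces
    the failing request from the thread."""
    headers = {"Authorization": f"Bearer {pat}", "Content-Type": content_type}
    if content_type == JSON:
        return headers, json.dumps({"token": rpt})
    return headers, urlencode({"token": rpt})


def server_side_token_param(headers, body):
    """Mimic a server that reads `token` only from a form-encoded body.

    Returns None when the parameter is absent, which is what the
    "Failed to find RPT by code: null" log line reports."""
    media_type = headers.get("Content-Type", "").split(";", 1)[0].strip().lower()
    if media_type != FORM:
        return None
    return parse_qs(body).get("token", [None])[0]


if __name__ == "__main__":
    for ct in (JSON, FORM):
        hdrs, body = introspection_request(RPT, PAT, ct)
        print(f"{ct}: server sees token={server_side_token_param(hdrs, body)!r}")
    # Constructed ticket and client credentials, not values from the thread.
    print(rpt_token_request_body("0869b790-a3e5-48fb-946e-6ed66e67bb87",
                                 "client-id", "client-secret"))
```

Note that curl's `-d` sends `application/x-www-form-urlencoded` unless a Content-Type header is set, so a JSON string passed to `-d` without the header is parsed as a form body containing no `token` field and fails the same way; `server_side_token_param` returns None for that case too.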

By Yuriy Zabrovarnyy staff 11 Sep 2017 at 7:33 a.m. CDT

Doc reference: https://gluu.org/docs/ce/3.1.0/api-guide/uma-api/#path_5

By Hector Rodriguez user 11 Sep 2017 at 7:41 a.m. CDT

Yuriy,

I had missed that detail. Now everything is working as expected. Thanks for the assistance!

Hector